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1  Introduction 


1.1  Background 

Currently,  the  design  of  U.S.  Army  Corps  of  Engineers  (USACE)  navigation 
structures  involves  considering  the  combination  of  possible  extreme  events  such 
as  barge-impact  forces  and  earthquake  loading.  Designing  to  such  arbitrary 
extreme  events  can  result  in  substantial  increases  in  the  final  design  and 
construction  costs.  However,  with  the  trend  toward  thinner,  more  economical 
structures  using  innovative  design  and  construction  techniques,  the  existing 
design  criteria  and  decision-making  process  should  be  re-examined  in  detail  to 
ensure  the  viability,  including  safety  and  cost-effectiveness,  of  such  designs. 

The  USACE  has  tried  to  establish  criteria  for  lock  wall  design  that  consider 
barge-impact  forces  and  earthquake  loads  for  various  return-period  scenarios  (for 
example,  a  usual  or  1-year  return;  an  unusual  or  500-year  return;  and  an  extreme 
or  1 ,000-year  return).  Typically,  depending  upon  the  impacts  of  the  worst-case 
scenario  on  the  safety  and  economic  development  of  the  structure’s  future,  the 
design  favors  the  larger  return  periods,  leading  to  higher  construction  costs. 

The  current  phase  of  the  investigation  reported  herein  involves  the 
development  of  a  process  to  aid  the  USACE  in  seeking  an  appropriate  balance 
among  the  risks  of  multiple-impact  hazards  and  present  and  future  costs  for  the 
design  of  innovative  lock  walls.  The  process  is  grounded  in  existing  models  for 
the  failure  modes  of  the  lock  walls,  multiple-criteria  decision-making  theory  and 
methodology,  and  the  assessment  and  management  of  risk  of  extreme  events. 

This  report  is  organized  as  follows:  the  section  below  summarizes  a  review  of 
the  current  state  of  knowledge  with  regard  to  the  design  of  navigation  locks. 
Chapter  2  explains  the  concepts  of  multiple-criteria  decision-making  and  its 
theory,  and  Chapter  3  explains  the  conceptual  framework  developed  for 
considering  multiple  hazards  to  lock  structures,  and  the  tradeoffs  that  could  be 
made  in  deciding  among  different  designs.  In  Chapter  4,  the  reliability  and  mean 
time  to  failure  due  to  multiple  failure  modes  for  navigation  structures  is 
discussed.  Finally,  Chapter  5  details  the  management  of  risk  and  outlines  how 
compound  modes  of  failure  could  be  addressed.  Appendixes  to  this  report 
provide  a  “generic”  example  problem  showing  how  the  methodology  developed 
in  Phase  1  applies  to  the  evaluation  of  navigation  locks  (Appendix  A)  and  the 
mathematical  details  for  partial  failure  modes  (Appendix  B). 
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1 .2  Review  of  Literature 


The  economic  life  of  a  typical  navigation  dam  and  lock  project  is  thought  to 
be  50  years.  Once  the  planners  establish  the  project’s  economic  life,  they  need  to 
decide  on  the  structure’s  protection,  which  must  meet  some  minimum  acceptable 
design-level  criterion.  Traditionally,  these  design  levels  have  been  specified  in 
engineering  standards,  such  as  ASCE  Standard  7-88  (1990).  The  standards 
specify  appropriate  nominal  load  values  and  combinations  of  loads  to  be  used  in 
design.  Ellingwood  (1995)  gives  the  formulas  from  these  standards  to  calculate 
the  design  load  values.  Ellingwood  (1995)  provides  the  mathematical  basis  for 
event-combination  analysis  but  does  not  show  tradeoffs  between  costs  and  risks 
among  different  design  combinations.  The  combinations  of  design  events,  X,{t), 
can  be  represented  by 

U(t)  =  Xx(t)  + X2{t)+ ...  + Xn(t)  (1) 

where  U(t)  represents  a  combination  of  structural  load  effects  due  to  operational 
and  environmental  events  that  occur  randomly.  The  maximum  of  the  combined 
load  effects,  Umax,  in  a  given  time  interval  0  <  t  <  T  is  expressed  as 

Umax=  max  U(t)  (2) 

0  <t<T 

There  are  two  primary  methods  for  event-combination  analysis:  load-crossing 
(upcrossing)  analysis  and  load-coincidence  analysis.  The  first  method  is  used  to 
calculate  the  frequency  of  a  load  that  exceeds  some  critical  level.  The  second 
method  accounts  for  the  timing  of  occurrences  for  different  loads,  which  the 
upcrossing  type  of  analysis  does  not  consider. 

Ellingwood  (1995)  discusses  different  types  of  loading  conditions — dead, 
snow,  wind,  earthquake,  flood,  operating,  and  barge-impact  loads — and  explains 
the  commonly  used  models  for  assessing  these  loads  on  an  individual  basis.  An 
example  event-combination  analysis  is  performed  using  the  load-coincidence 
method  to  find  the  probabilities  of  two  different  load  events  occurring  together  at 
a  particular  facility.  The  pairs  of  events  considered  include  operating  loads  and 
wind,  operating  loads  and  earthquake,  operating  loads  and  barge  impact,  earth¬ 
quake  and  barge  impact,  and  earthquake  and  flood.  For  the  particular  facility, 
only  the  coincidence  probabilities  for  operating  loads  and  earthquake  and  for 
earthquake  and  barge  impact  appear  significant  enough  to  warrant  additional 
possible  development  of  design  load  combinations.  The  results  are  site  specific, 
however,  and  other  facilities  should  be  studied  before  making  any  final 
conclusions. 

The  USACE  Huntington  District  has  commissioned  studies  for  the  design  of 
barge-impact  loads  for  the  lock  walls  at  Marmet  Lock  and  Dam  (Patev  2000)  and 
the  design  of  the  lock  walls  at  the  Winfield  Lock  and  Dam  (Glosten  &  Associates 
1995).  Patev  and  Glosten  both  calculate  the  maximum  impact  loads  associated 
with  specific  return  periods.  The  method  used  for  calculating  impact  loads  is 
based  on  the  methodology  contained  in  Patev  (1999).  Although  only  the  usual, 
unusual,  and  extreme  loading  conditions  are  presented  in  the  final  results,  the 
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analysis  is  probabilistically  based.  Therefore,  both  analyses  are  able  to  support 
the  current  effort  of  developing  tradeoff  analyses. 

For  a  range  of  potential  impact  loads,  Patev  and  Glosten  calculate  the  prob¬ 
abilities  that  a  collision  with  an  impact  exceeding  a  certain  level  will  occur  at  a 
landing  in  any  given  year  during  the  life  of  the  project.  To  calculate  the  maxi¬ 
mum  impact  load  results  from  scale  model,  experiments  are  required  to  deter¬ 
mine  impact  velocities  and  angles  for  a  tow.  The  mass  and  dimensions  of  barge 
tows  and  their  per-event  probabilities  are  also  needed,  as  well  as  the  life-of- 
project  forecast  utilization  for  the  number  of  lockages  per  year.  In  addition,  this 
study  shows  the  currently  used  metrics  for  quantifying  risks  of  barge  impacts  to 
navigation  structures.  The  metrics  are  the  probability  of  a  barge  impact  exceeding 
a  set  level,  namely  these:  the  per-event,  the  annualized,  and  the  life-of-project 
exceedance  probability  and  the  return  period.  As  is  well  known,  the  return  period 
in  years  is  equal  to  one  divided  by  the  annualized  exceedance  probability. 

Table  1  shows  the  metrics  considered  in  these  two  sources. 


Table  1 

Definitions  of  Risk  Metrics  Used  by  the  Corps  of  Engineers 

Metric 

Definition 

Per-event  exceedance  probability 

Probability  for  each  landing  that  the  impact-force 
level  exceeds  a  specified  value 

Annualized  exceedance  probability 

Probability  that  the  maximum  impact  force  in  any 
one  year  exceeds  a  specified  value 

Life-of-project  exceedance  probability 

Probability  that  the  maximum  impact  force  in 

M  years  exceeds  a  specified  value  ! 

Return  period 

The  average  number  of  years  between 
occurrences  of  a  collision  with  a  particular 
impact  load 

Annualized  probability  that  maximum  force  is 
less  than  a  set  level 

Probability  that  the  maximum  impact  force  in  any 
one  year  is  below  a  specified  value 

To  see  the  tradeoffs  between  costs  and  risks  of  different  lock  designs,  one 
needs  to  identify  relevant  costs.  Several  reports  available  from  the  Corps’  Web 
sites  have  been  reviewed  for  metrics  for  costs  associated  with  navigation  locks. 
Some  of  the  reports  were  checked  for  metrics  for  risks  and  damage.  Metrics  for 
costs  are  shown  in  Table  2.  There  is  some  overlapping,  in  that  some  metrics  are 
more  detailed  breakdowns  of  costs,  while  others  (such  as  those  for  life-cycle 
projects)  are  total  costs. 
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Table  2 
Cost  Metrics 


Cost  Metric 


Annualized  initial _ 

Annualized  installation 


Annualized  operational 


Annualized  maintenance 


Annualized  repair 


Annualized  rehabilitation 


Annualized  replacement  _ 


Operational  (over  a  period  of  analysis) 


Maintenance _ 

Repair _ _ 

Baseline  estimate/Total  current  working  estimate 
Fully  funded  project  cost;  includes  lands  and 
damages,  construction  features  (labor, 
equipment,  and  materials),  planning, 
engineering,  design,  and  supervision, 
administration  with  appropriate  contingencies, 
and  escalation  associated  with  each  of  these 

activities  through  project  completion. _ 

Civil  works  breakdown  structure— All  costs 
throughout  the  project  life  cycle: 

Lands  and  damages 

Relocations 

Reservoirs 

Dams 

Locks 

Fish  and  wildlife  facilities 
Power  plant 

Roads,  railroads,  and  bridges 
Channels  and  canals 
Breakwaters  and  seawalls 
Levees  and  floodwalls 
Navigation  ports  and  harbors 
Pumping  plants 
Recreation  facilities 
Flood  control  and  diversion  structures 
Bank  stabilization 
Beach  replenishment 
Cultural  resource  preservation 
Buildings,  grounds,  and  utilities 
Permanent  operating  equipment 
Reconnaissance  studies,  feasibility  studies, 
planning,  engineering,  and  design 

Construction  management _ 

Annual  project  cost 


Aids  to  navigation  (for  small-boat  navigation 
projects)  _ 


Life-cycle  project  cost 

(50  years  for  small-boat  navigation  projects) 


Direct  labor 


Direct  costs _ _ 

Indirect  costs 


Real  estate  —  buying  land  for  a  project _ 

Benefits  (decrease  in  losses  of  time  and  property 
due  to  failure  of  structure) 


Reference 


ER  1110-2-1404 _ 

ER  1110-2-1404,  ER  1105-2-100 


ER  1110-2-1404 


ER  1110-2-1404 


ER  1 1 05-2-1 00,  ER  1 1 1 0-2-1 404,  and 
ER  11 10-2-1457 


ER  1110-2-1404 _ 

ER  1110-2-1404 


ER  1105-2-100 


ER  1105-2-100 


ER  1105-2-100 


ER  1 1 1 0-2-1 1 50,  ER  1 1 1 0-2-1 302 


ER  1110-2-1302 


EM  1110-2-1615,  EM  1110-2-2904 
EM  1110-2-1615 


EM  1110-2-1615 


EP  37-1-3 


EP  37-1-3 _ 

EP  37-1-3 


ER  1105-2-100 _ 

ASCE  1998 
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The  relationships  between  a  design’s  protection  level  and  its  various  costs  are 
not  straightforward.  Though  construction  cost  increases  with  heightening  of  the 
protection  level,  maintenance,  replacement,  and  present-worth  annual  costs 
decrease.  Also,  the  potential  benefits  (decreases  in  losses  of  time  and  property 
due  to  a  shutdown)  are  greater  for  a  sturdier  structure  (ASCE  1998).  Clearly, 
there  are  tradeoffs  the  USACE  must  make  in  deciding  between  designs  of 
different  protection  levels. 

Table  3  shows  the  metrics  for  risks  employed  by  the  Corps. 


Table  3 

Risk  Metrics  and  Reference  Documents 

Risk  Metric 

Reference 

Mean  time  to  failure 

ETL  1110-2-549 

Mean  number  of  failures  over  a  specified  amount 
of  time 

ETL  1110-2-549 

Probability  of  exceedance  of  ground  motion 

EM  1110-2-6050 

Usual,  unusual,  and  extreme  load  conditions 
with  associated  annual  probabilities  of 
exceedance 

Patev  (2000) 

Design  forces  for  1-,  10-,  100-,  and  1,000-year 
events 

Patev  (2000) 

Allowable  stress 

Safety  factor 

Per-event  exceedance  probability 

Patev  (2000),  Glosten  &  Associates  (1995) 

Annualized  exceedance  probability 

Patev  (2000),  Glosten  &  Associates  (1995) 

Life-of-project  exceedance  probability 

Patev  (2000),  Glosten  &  Associates  (1995) 

Return  period  impact  force 

Patev  (2000),  Glosten  &  Associates  (1995) 

Annualized  probability  that  maximum  force  is 
less  than  a  set  level 

Cost  of  lost  business  due  to  failure  of  locks 
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2  Concepts  and  Theory  of 
Multiple-Criteria  Decision- 
Making 


The  tradeoffs  among  multiple  noncommensurate  and  often  conflicting  and 
competing  objectives  are  at  the  heart  of  risk  management.  One  is  invariably  faced 
with  deciding  the  level  of  safety  (the  level  of  risk  that  is  deemed  acceptable)  and 
the  acceptable  cost  associated  with  that  safety.  The  following  student  dilemma  is 
used  to  demonstrate  the  fundamental  concepts  of  Pareto  optimality  and  tradeoffs 
in  a  multi-objective  framework  (Chankong  and  Haimes  1983). 

A  student  working  part-time  to  support  her  college  education  is  faced  with  the 
following  dilemma  that  is  familiar  to  all  of  us: 


f  income 


Maximize < 


grade-point 


[leisure 


In  order  to  use  the  two-dimensional  plane  for  graphic  purposes,  we  will 
restrict  our  discussion  to  two  objectives:  maximize  income  and  maximize  grade- 
point  average  (GPA).  We  will  assume  that  a  total  of  70  hr  per  week  are  allocated 
for  studying  and  working.  The  remaining  98  hr  per  week  are  available  for 
“leisure  time,”  covering  all  other  activities.  Figure  1  depicts  the  income 
generated  per  week  as  a  function  of  hours  of  work.  Figure  2  depicts  the 
relationship  between  studying  and  GPA.  Figure  3  is  a  dual  plotting  of  both 
functions  (income  and  GPA)  versus  working  time  and  studying  time. 

The  concept  of  optimality  in  multiple  objectives  differs  in  a  fundamental  way 
from  that  of  a  single-objective  optimization.  Pareto  optimality  in  a  multi¬ 
objective  framework  is  that  solution,  policy,  or  option  for  which  one  can  improve 
one  objective  function  only  at  the  expense  of  degrading  another.  A  Pareto 
optimal  solution  is  also  known  as  a  noninferior,  nondominated,  or  efficient 
solution.  In  Figure  1,  for  example,  studying  up  to  60  hr  per  week  (and 
correspondingly  working  10  hr  per  week)  is  Pareto  optimal,  since  in  this  range, 
income  is  sacrificed  for  a  higher  GPA.  On  the  other  hand,  studying  over  60  hr  per 
week  (or  working  less  than  10  hr  per  week)  is  a  non-Pareto  optimal  policy,  since 
in  this  range  both  income  and  GPA  are  diminishing.  A  non-Pareto  optimal 
solution  is  also  known  as  an  inferior,  dominated,  or  nonefficient  solution. 


6 


Chapter  2  Concepts  and  Theory  of  Multiple-Criteria  Decision-Making 


Figure  1.  Income  from  part-time  work 


Figure  4  further  distinguishes  between  Pareto  and  non-Pareto  optimal 
solutions  by  plotting  income  versus  GPA.  The  line  connecting  all  the  square 
points  is  called  the  Pareto  optimal  frontier.  Note  that  any  point  interior  to  this 
frontier  is  non-Pareto  optimal.  Consider,  for  example,  policy  option  A.  At  this 
point  the  student  makes  $300  per  week  at  a  GPA  of  just  above  1,  whereas  at 
point  B  she  makes  $600  per  week  at  the  same  GPA  level.  One  can  easily  show 
that  all  points  (policy  options)  interior  to  the  Pareto  optimal  frontier  are  inferior 
points. 
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Figure  3.  GPA  versus  income 


Figure  4.  Pareto  optimal  frontier 


Consider  the  risk  of  groundwater  contamination  as  another  example.  We  can 
generate  the  Pareto  optimal  frontier  for  this  risk-based  decision-making. 
Minimizing  the  cost  of  contamination  prevention  and  the  risk  of  contamination  is 
similar  in  many  ways  to  generating  the  Pareto  optimal  frontier  for  the  student 
dilemma  problem.  Determining  the  best  work-study  policy  for  the  student  can  be 
compared  to  determining  the  level  of  safety,  that  is,  the  level  of  acceptability  of 
risk  of  contamination  and  the  cost  associated  with  the  prevention  of  such 
contamination. 

To  arrive  at  this  level  of  acceptable  risk,  we  will  again  refer  to  the  student 
dilemma  problem  illustrated  in  Figure  4.  At  point  B  the  student  is  making  about 
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hcome  ($/week) 


$600  per  week  at  a  GPA  of  just  above  1 .  Note  that  the  slope  at  this  point  is  about 
$100  per  week  for  each  1  GPA.  Thus,  the  student  will  opt  to  study  more.  At 
point  C,  the  student  can  achieve  a  GPA  of  about  3.6  and  a  weekly  income  of 
about  $250.  The  tradeoff  (slope)  at  this  point  is  very  large.  By  sacrificing  about 
0.2  GPA  the  student  can  increase  her  income  by  about  $200  per  week. 
Obviously,  the  student  may  choose  neither  policy  B  nor  C;  rather  she  may  settle 
for  something  like  policy  D,  with  an  acceptable  level  of  income  and  GPA.  In  a 
similar  way,  and  short  of  strict  regulatory  requirements,  a  decision-maker  may 
determine  how  much  of  available  resources  to  allocate  for  the  prevention  of 
groundwater  contamination  at  an  acceptable  level  of  risk  of  contamination. 

In  summary,  the  question  is,  Why  should  we  expect  environmental  or  other 
technologically  based  problems  involving  risk-cost-benefit  tradeoffs  to  be  any 
easier  than  solving  the  student  dilemma? 

A  single  decision-maker  as  in  the  student  dilemma  problem  is  not  common, 
especially  when  dealing  with  public  policy;  rather,  the  existence  of  multiple 
decision-makers  is  more  prevalent.  Indeed,  policy  options  on  important  and 
encompassing  issues  are  rarely  formulated,  traded-off,  evaluated,  and  finally 
decided  upon  at  one  single  level  in  the  hierarchical  decision-making  process. 
Rather,  a  hierarchy  that  represents  various  constituencies,  stakeholders,  power 
brokers,  advisors,  administrators,  and  a  host  of  “shakers  and  movers”  constitutes 
the  true  players  in  the  complex  decision-making  process.  For  more  on  multi¬ 
objective  analysis,  see  Haimes  and  Hall  (1974),  Chankong  and  Haimes  (1983), 
and  Haimes,  Moser,  and  Stakhiv  (1994). 
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3  Hazard  Analysis 


Several  design  events  can  cause  failure  of  a  lock  approach  structure,  including 
barge  impact,  earthquake,  operator  error,  and  the  extreme  event  of  bombing  by 
terrorists.  In  the  current  study  efforts,  the  focus  is  primarily  on  the  impact  of 
collisions  (i.e.,  barge  impacts)  and  earthquakes.  This  chapter  addresses  these  two 
failure  modes  separately.  Chapter  4  examines  the  possible  effects  and 
combination  of  these  two  failure  modes  jointly. 


3.1  Barge  Impact 

There  is  a  growing  body  of  literature  devoted  to  the  study  of  barge  impact  on 
lock  walls.  Patev  (2000)  proposed  a  computational  framework  termed 
Probabilistic  Barge  Impact  Analysis  (PBIA)  for  Marmet  Locks  and  Dam.  This 
framework  is  geared  toward  calculating  the  barge-impact  load,  provided  that 
probabilistic  information  about  the  size  and  mass  of  the  barge,  the  impact 
velocity,  and  the  impact  angles  is  relatively  known  (Patev  1 999).  Patev  (2000) 
performed  a  detailed  study  on  the  upper  guide  and  guard  walls  at  Marmet  Locks 
and  Dam  based  on  the  PBIA.  Glosten  &  Associates  (1995)  presented  a  study  on 
barge-impact  loads  for  the  Winfield  Lock  and  Dam  approach  guard  wall.  Both 
studies  show  a  similar  relationship  between  return  period  and  impact  loads. 
Figure  5  represents  this  relationship  for  the  Winfield  case. 

Allowable  maximum  stress,  a  design  criterion  for  this  type  of  structure,  is 
associated  with  the  maximum  impact  loads  the  structure  can  endure.  In  general, 
the  probability  that  a  structure  fails  can  be  determined  by  (Ellingwood  1995) 

f(^)=Zi>(F  l£0p(^)  <3) 

/ 

where 

P{F)  =  overall  probability  of  failure 
P(F\E,)  =  conditional  probability  of  failure 
P(E,)  =  probability  of  event  E 

and  the  summation  is  carried  out  over  all  possible  events.  This  assumes  the 
events  are  statistically  independent.  Of  primaiy  interest  in  this  present  study  is 
the  conditional  probability  P{F\Ej).  The  designed  maximum  impact  load  is 
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Return  Period  vs.  Barge  Impact 


Figure  5.  Return  period  versus  barge  normal  impact  force  -  Winfield  Lock 
(Glosten  &  Associates  1 995) 

defined  as  the  load  that  leads  to  P(F\E ’,)  =  1.  In  other  words,  any  impact  load 
beyond  this  level  will  cause  the  structure  to  fail,  entailing  either  full 
reconstruction  or  a  major  repair,  both  of  which  will  result  in  significant 
construction  costs.  Likewise,  the  loads  less  than  this  level  will  have  a  P(F\E,)  of 
less  than  1 . 

As  a  simplification,  it  is  assumed  that  this  type  of  load  will  cause  partial 
failure  of  the  structure.  From  a  strict  probabilistic  point  of  view,  however,  it 
could  contribute  to  the  eventual  failure  of  the  structure  as  well.  This  issue  will  be 
revisited  in  the  following  section  to  offer  a  probabilistic  treatment.  For  the  time 
being,  attention  is  focused  on  loads  exceeding  the  Designed  Maximum  Impact 
Load  (DMIL).  Given  the  DMIL,  which  Ellingwood  (1995)  somewhat  considered, 
one  would  like  to  know  the  mean  time  to  failure  (MTTF).  If  the  probabilistic 
distribution  of  the  impact  load  is  known  (i.e.,  probability  density  function  or  pdf), 
then  the  MTTF  can  be  calculated  via  evaluating  the  exceedance  probability  at  the 
DMIL.  The  probability  that  an  impact  would  exceed  a  certain  level  is  shown  in 
Figure  6  as  the  area  under  the  curve  (pdf)  to  the  right  of  that  amount.  Specifi¬ 
cally,  if  the  exceedance  probability  at  the  DMIL  is  1/n  ,  each  collision  has  a 
chance  of  exceeding  the  DMIL  of  1  In.  Furthermore,  on  average,  n  collisions 
occur  before  one  that  exceeds  the  DMIL  occurs.  If  the  mean  interarrival  timeof 
collisions  is  T,  then  the  MTTF  is  nf  because  n  collisions  that  occur  every  f 
time  unit  are  necessary  for  a  failure.  The  MTTF  is  the  same  as  the  return  period 
of  the  collision  that  has  an  impact  magnitude  equal  to  or  greater  than  the  DMIL. 
One  can  find  the  return  period  by  conducting  a  PBIA  if  input  data  are  provided. 
Figure  7  shows  the  MTTF  for  the  Winfield  Lock  and  Dam. 
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Figure  6.  Probability  density  function  of  impact  load 


Apart  from  complete  failure,  one  may  also  be  concerned  with  other  significant 
but  less  severe  collisions  that  may  call  for  structural  repair.  The  severity  of  an 
impact  can  be  defined  to  be  the  ratio  of  the  estimated  repair  cost  to  the  estimated 
reconstruction  cost.  The  severity  is  thus  typically  less  than  or  equal  to  1 .  The 
exact  relationship  between  the  severity  and  the  impact  load  might  be  determined 
through  historical  data  and,  in  general,  for  any  given  impact,  the  severity  may 
contain  uncertainty  (e.g.,  described  by  a  range  or  a  probability  distribution).  This 
point  will  be  addressed  in  Chapter  5  as  a  probabilistic  model  for  the  severity.  At 
this  point,  we  will  assume  a  deterministic  exponential  relationship  between  these 
two  variables: 
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(4) 


S  = 


epx-\ 

ep-l 


where 

S  =  severity,  ranging  between  0  and  1 

j}=  parameter  to  be  determined  from  historical  data 

Actual  Impact  Load 

x  = - — — ; — - 

Designed  Maximum  Impact  Load 

A 

Figure  8  depicts  the  severity-impact  load  relationship  for  the  cases  /?  =  2,  5,  10. 


Figure  8.  Severity,  p  versus  impact  load 

For  the  following  discussion,  the  nominal  value  of  f3  is  assumed  to  be  5.  For 
the  sake  of  simplicity,  only  one  representative  line  is  drawn  for  each  of  the 
impact  load  cases  discussed  before — usual,  unusual,  and  extreme.  Figure  9  shows 
the  relationship  between  the  DMIL  for  each  case  and  severity.  The  lines  shown  in 
Figure  9  indicate  that  a  tradeoff  is  needed  when  designing  the  navigation 
structure  because  of  the  multi-objective  nature  of  this  problem. 

For  instance,  if  a  relatively  economical  design  with  a  designed  maximum 
impact  load  of  1,000  kips  (4,450  kN)  is  favored,  then  an  impact  with  a  100-year 
return  period  will  result  in  a  damage  with  severity  0.47,  and  an  impact  with  a 
1,000-year  return  period  will  result  in  a  damage  with  severity  0.78.  On  the  other 
hand,  if  a  more  sturdy  design  is  desired,  such  as  one  with  a  designed  maximum 
impact  load  of  1,600  kips  (7,120  kN),  then  an  impact  with  a  return  period  of 


Chapter  3  Hazard  Analysis 


13 


100  years  will  result  in  a  damage  with  severity  0.09  only,  and  an  impact  with  a 
return  period  of  1,000  years  will  result  in  a  damage  with  severity  0.127  only.  Of 
course,  such  a  sturdy  design  is  expected  to  be  much  more  costly.  Hence,  it  is 
important  to  maintain  a  balance  between  cost  and  sturdiness.  To  achieve  such  a 
goal,  a  comprehensive  tradeoff  analysis  is  necessary  (Haimes  1998). 


3.2  Earthquake 

A  method  of  calculating  the  peak  ground  acceleration  (PGA)  and  return 
period  using  probabilistic  methods  is  termed  a  Probabilistic  Seismic  Hazard 
Analysis  (PSHA)  and  is  discussed  in  detail  in  Engineer  Manual  (EM)  1 1 10-2- 
6050.  This  technique  allows  one  to  uncover  the  relationship  between  the  level  of 
peak  ground  acceleration  from  an  earthquake  and  the  annual  frequency  of 
exceedance  of  that  level,  provided  that  the  relevant  statistical  information  is 
available.  Examples  of  required  information  for  a  PSHA  include  the  following: 
locations  of  the  seismic  sources,  annual  frequency  of  occurrence  of  earthquakes 
of  given  magnitude,  and  probability  of  an  earthquake  of  given  magnitude  at  a  site 
that  is  at  a  certain  distance  from  the  source.  Figure  10  shows  a  typical  hazard 
curve  as  a  result  of  a  PSHA  calculation  (EM  1 110-2-6050). 


14 


Chapter  3  Hazard  Analysis 


Figure  10.  Hazard  curve  for  PSHA  (from  EM  1 110-2-6050) 


Figure  10  shows  that  the  relationship  between  the  return  period  and  the 
logarithmic  value  of  the  ground  motion  (i.e.,  PGA)  is  approximately  a  straight 
line.  This  figure  suggests  that,  as  a  first-order  approximation,  one  may  assume  an 
exponential  relationship  between  the  level  of  ground  motion  and  the  return 
period  as  follows: 

T=e13 671a  +  66.076  (5) 


where 


T  =  return  period  in  years 

a  =  peak  ground  acceleration  evaluated  in  terms  of  the  gravitational 
acceleration,  g 

The  parameters  for  Equation  5  were  estimated  from  the  results  of  the  PHSA 
shown  in  Figure  10. 
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Similar  to  the  DMIL  in  the  barge-impact  case,  another  design  criterion  for  a 
navigation  structure  should  be  the  maximum  ground  motion  (PGA)  that  the 
structure  can  withstand.  In  other  words,  the  concern  is  with  the  level  of  ground 
motion  beyond  which  the  structure  will  fail  and  therefore  will  require  a  complete 
reconstruction.  Given  the  Designed  Maximum  Ground  Motion  (DMGM),  the 
MTTF  due  to  earthquakes  can  be  calculated.  If  the  probabilistic  distribution  of 
the  earthquake  load  in  terms  of  the  ground  motion  is  known,  then  the  MTTF  can 
be  calculated  via  evaluating  the  exceedance  probability  at  the  DMGM.  Specifi¬ 
cally,  if  the  exceedance  probability  at  the  DMGM  is  1  In,  and  the  mean  time 
between  earthquakes  is  f ,  then  the  MTTF  is  nf . 

On  the  other  hand,  the  quantity  nf  is  nothing  but  the  return  period  of  the 
earthquake  that  has  a  resulting  ground  motion  equal  to  or  greater  than  the 
DMGM.  Thus,  the  entire  task  of  finding  the  MTTF  comes  down  to  finding  out 
the  return  period  of  an  earthquake  of  specific  magnitude.  This  can  be  accom¬ 
plished  by  performing  a  PSHA  if  all  necessary  information  is  available  and 
provided.  Figure  1 1  shows  the  MTTF  for  a  prototypical  case  provided  by 
EM  1110-2-6050. 


Mean  Time  To  Failure  Due  To  Earthquake  Load 


Figure  1 1 .  Mean  time  to  failure  due  to  earthquake  load 

As  discussed  previously,  in  addition  to  the  complete  failure,  one  should  also 
be  concerned  with  other  significant  but  less  severe  earthquake  consequences  that 
may  cause  the  structure  to  require  repairs.  Similar  to  the  collision  case,  the 
severity  of  an  earthquake  impact  is  defined  to  be  the  ratio  of  the  repair  cost  to  the 
complete  reconstruction  cost.  Obviously,  the  severity  should  be  less  than  or  equal 
to  1 .  The  exact  relationship  between  the  severity  and  the  ground  motion  should 
be  determined  using  historical  data  and  studies  related  to  the  project.  In  general, 
for  any  given  earthquake  load,  the  severity  may  be  uncertain,  that  is,  described  by 
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a  range  or  a  probabilistic  distribution  (pdf).  This  point  will  be  addressed  further 
in  Chapter  5. 

An  exponential  relationship  between  these  two  variables  is  assumed, 


where 

j3  =  parameter  to  be  determined  by  historical  data  and  related  study 
Actual  Ground  Motion 

X  —  - — - - - - - 

Designed  Maximum  Ground  Motion 


* 

Figure  12  depicts  the  severity-impact  load  relationship  for  (3 =  10,  30,  40.  In  the 
following  discussion  and  example  for  earthquake  loads,  the  nominal  value  of  [3 
is  taken  as  30. 


Similar  to  the  explanation  from  Figure  9  for  barge  impact,  Figure  13  describes 
the  relationship  between  the  DMGM  and  the  severity.  Again,  for  the  sake  of 
simplicity,  only  one  representative  line  is  drawn  for  each  of  the  load  case  events: 
usual,  unusual,  and  extreme.  These  lines  indicate  that  a  tradeoff  is  needed  when 
designing  the  navigation  structure  because  of  the  multi-objective  nature  of  the 
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Figure  13.  Designed  maximum  ground  motion  versus  severity 


problem.  For  instance,  if  a  relatively  economical  design  with  a  designed 
maximum  ground  motion  of  only  0.275g  is  favored,  then  an  earthquake  load  with 
1 00-year  return  period  will  result  in  a  damage  severity  of  0.09,  while  an 
earthquake  load  with  a  500-year  return  period  will  completely  collapse  the  lock 
structure  with  a  severity  of  1 .  If  a  more  robust  design  with  a  maximum  ground 
motion  of  0.5g  is  desired,  then  an  earthquake  load  with  a  return  period  of 
1 00  years  will  have  minimal  effect  on  the  structure,  and  an  earthquake  load  with 
return  period  of  500  years  will  result  in  a  damage  with  severity  of  0.03  only. 
However,  for  this  case,  an  earthquake  load  with  a  1,000-year  return  period  will 
result  in  complete  collapse  of  the  structure. 

On  the  other  hand,  if  the  designed  maximum  ground  motion  is  0.55g,  then  an 
earthquake  load  with  return  period  of  1,000  years  will  result  in  a  damage  with  a 
severity  of  only  0.07.  Since  such  a  robust  design  is  expected  to  be  much  more 
costly  to  actually  implement,  a  rationally  defined  balance  between  cost  and 
sturdiness  needs  to  be  maintained.  To  achieve  such  a  goal,  a  comprehensive 
tradeoff  analysis  will  be  required  (Haimes  1998). 
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4  Lock  Reliability  Due  to 
Multiple  Failure  Modes 


4.1  Basic  Reliability  Analysis 

Before  proceeding,  a  few  important  reliability  concepts  will  be  addressed 
(Ross  1997,  Haimes  1998): 

Reliability,  R(t):  probability  that  the  lock  performs  its  desired  function 
throughout  the  time  interval  (0,  /),  given  that  it  was  operating  properly  at  t=  0. 

Unreliability,  Q(t):  probability  that  the  lock  fails  during  a  time  interval  (0,  /), 
given  that  it  was  operating  properly  at  t  =  0.  Obviously,  Q(t)  =  1  -R(t). 

Failure  density, /(if):  probability  density  of  failure.  Namely,  the  term  f(t)dt  is 
the  probability  that  the  lock  fails  in  the  time  interval  (t,  t+dt).  Mathematically, 

f(t)  ~  dQ(t)/dt 

Failure  (hazard)  rate,  Aft):  the  term  A(t)dt  is  the  conditional  probability  of 
lock  failure  in  the  time  interval  ( t ,  t+dt),  given  that  no  failure  occurs  up  to  time  t. 
In  other  words,  Aft)  =f(t)/R(t). 

Mean  time  to  failure  (MTTF),  T :  the  expected  time  the  lock  will  operate 
properly  before  it  fails.  Mathematically, 


OO 

T  =  ^R(t)dt 
o 

In  general,  R(t)  is  a  monotonically  decreasing  function.  It  is  important  to  note 
that  the  reliability  function  is  directly  tied  to  the  level  of  design.  A  stronger 
design  generally  results  in  a  slower  decrease  in  reliability  overtime.  Figure  14 
shows  a  comparison  of  different  design  levels  in  terms  of  a  generic  reliability. 
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t  (Time) 


Figure  14.  Reliability  over  time 

If  the  probability  of  a  barge  impact  whose  magnitude  exceeds  the  designed 
maximum  impact  load  (DMIL)  during  a  typical  year  is  1  In,  the  reliability  of  the 
lock  at  time  t  is 

*.(')= i--  <7> 

n 

First,  the  conditional  probability  of  failure  is  evaluated  at  Zth  year  given  that  no 
failure  occurs  during  years  1  through  t- 1.  This  probability  can  be  calculated  using 
Bayes’  theorem  (Ross  1997). 

P{ failure  at  year  1}  =  — 

/’{failure  at  year  2|  no  failure  at  year  1 } 

/’{failure  at  year  2,  no  failure  at  year  1} 

/•{no  failure  at  year  1} 

.P{no  failure  at  year  1  |failure  at  year  2}  Fj  failure  at  year  2} 

P{no  failure  at  year  1} 


n 


n 


1 

n—  1 


P{  failure  at  year  3  |  no  failure  at  year  2,  no  failure  at  year  1 } 


20 


Chapter  4  Lock  Reliability  Due  to  Multiple  Failure  Modes 


P{ failure  at  year  3,  no  failure  at  year  2,  no  failure  at  year  1} 

P{no  failure  at  year  2,  no  failure  at  year  1} 

P{no  failure  at  year  2,  no  failure  at  year  1  |failure  at  year  3}  P{ failure  at  year  3} 
P{no  failure  at  year  2,  no  failure  at  year  1} 


1 


1 

n-2 


By  the  same  reasoning,  it  is  concluded  that 


/*{  failure  at  year  t  +  1  |no  failure  from  year  1  to  year  t}  = 


n- 


(8) 


It  is  interesting  to  point  out  that  this  probability  is  nothing  but  failure  rate 
A( t  -  1)  in  a  discrete  case.  Having  realized  this,  the  following  relationship  for 
reliability  exists 


(  t 


Rc(t)  =  exp 


=  exp 


-J  X{t)d 

o 

[ln(n-r)|o] 


(9) 


Thus,  the  conclusion  is  that  the  reliability  of  the  navigation  lock  is  1  -  t/n,  where 
n  is  the  return  period  of  the  barge  impact  that  has  a  load  exceeding  DMIL. 

Figure  15  shows  the  reliability  as  a  function  of  time.  One  interesting  thing  to  note 
is  that  if  the  return  period  is  very  long,  namely  if  n  is  a  very  large  number,  then 
for  those  years  satisfying  t  «  n  we  have  1  -  t/n  ~etJn.  This  means  that,  for  a 
fairly  long  period  of  time,  the  reliability  function  can  be  approximated  by 
exponential  function.  This  approximation  is  not  just  a  mathematical  convenience. 
It  can  provide  added  insight  into  the  analysis,  as  will  be  shown  below. 

Likewise,  if  the  probability  that  an  earthquake  whose  magnitude  in  terms  of 
ground  motion  exceeds  the  designed  maximum  ground  motion  (DMGM)  strikes 
during  a  year  is  Mm,  then  the  reliability  of  the  lock  is 


JtfrH-1  00) 

y  m 

If  both  collision  and  earthquake  are  under  consideration  and  independent,  then 
the  reliability  of  the  lock  structure  due  to  these  events  is  as  follows: 


R(t)  =  Rc{t)Rq{t)  = 


(,  t\ 

1  — 

1  — 

m) 

n) 

(11) 
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Figure  1 5.  Reliability  over  time  for  individual  and  joint  cases 

Figure  15  shows  the  reliability  as  a  function  of  time  for  individual  and  joint 
cases. 

4.2  Mean  Time  to  Failure  Due  to  Single  Failure 
Mode:  A  Probabilistic  Approach 

In  Section  3. 1  it  was  stated  that  the  probability  that  a  structure  fails  could  be 
determined  by  the  equation  (Ellingwood  1995) 

W  =  2>(F \Ei)piEi)  (3’bis) 


However,  the  contribution  of  loads  below  the  DMIL  to  the  failure  of  the 
structure  was  not  explicitly  addressed.  From  a  strict  probabilistic  point  of  view, 
however,  such  loads  could  also  contribute  to  failure.  If  this  effect  is  taken  into 
consideration,  then 


T  =  t 


=  T 


/■(F|£,)  P(F\E 2)  P(F\E„) 

- 1 - r . . .  t 

«,  n7  n. 


-i-i 


r(F\E.) 


I-I 


T 


=  T 


-1 


P(F) 


(12) 
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where  f  is  the  mean  arrival  time  of  the  events  and  T  is  the  mean  time  to  failure. 
The  probabilities  of  load  intervals  would  be  defined  as  shown  in  Figure  16.  In 
drawing  the  conclusion,  it  was  assumed  that  event  E,  (/'  =  1,2.. . k )  constitutes  a 
counting  process  with  a  mean  arrival  time 


Figure  16.  Probabilities  of  load  intervals 


4.3  Mean  Time  to  Failure  Due  to  Multiple  Failure 
Modes 

In  this  section,  the  joint  effect  of  barge  impact  and  earthquake  loadings  is 
investigated  with  regard  to  the  MTTF  of  the  lock  structure.  First,  a  few  working 
assumptions  are  needed  to  understand  the  development  of  the  joint  MTTF  for  a 
lock. 

4.3.1  Independence  of  attributes 

Two  decision  variables  have  been  used  in  this  report:  the  designed  maximum 
impact  load  and  the  designed  maximum  ground  motion  due  to  an  earthquake.  In 
physical  reality,  these  two  variables  may  have  some  kind  of  interdependence.  For 
instance,  an  earthquake  may  cause  a  towboat  to  lose  control  and  thereby  hit  a 
lock  with  enormous  momentum.  Nevertheless,  it  is  an  acceptable  assumption  in 
the  conceptual  design  stage  to  assume  that  these  two  variables  are  totally 
independent.  The  engineering  practice  within  USACE  seems  to  be  consistent 
with  this  assumption  (EM  1 1 10-2-6050,  Patev  1999). 

4.3.2  Independence  of  event  series 

Assume  that  different  event  series  are  independent  and,  more  specifically,  that 
as  distinctive  event  series,  collisions  and  earthquakes  constitute  independent 
stochastic  processes.  The  compound  effect  of  multiple  failure  modes  can  be 
described  using  a  fault  tree  methodology  (U.S.  Nuclear  Regulatory  Commission 
1981,  Haimes  1998). 
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The  joint  effect  of  the  multiple  causes  can  be  characterized  by  an  “or”  gate,  as 
shown  in  Figure  17. 


Figure  1 7.  Fault  tree  for  compound  failure 


If  Rc(t)  and  Rq(t)  denote  the  reliability  of  the  lock  due  to  collision  and 
earthquake,  respectively,  then  the  reliability  of  the  lock  due  to  both  causes  is 

R(t)  =  Rc(t)Rq(t)  (13) 

Likewise,  if  bombing  by  terrorists  is  another  cause  of  failure,  then  correspond¬ 
ingly,  the  reliability  of  the  lock  can  be  written  as 

R(t)  =  Rc(t)Rq(t)Rb(t)  (14) 

where  Rb(t)  is  the  reliability  of  the  lock  due  to  bombing  alone.  Thus,  the  fault  tree 
due  to  the  three  causes  is  as  shown  in  Figure  18. 

As  pointed  out  previously,  for  a  significant  part  of  the  life  cycle,  the 
reliabilities  due  to  individual  failure  modes  can  be  approximated  as  exponential 

distributions,  that  is,  Rc  ( t )  =  <T4',  Rq  (t)  =  e~Xq' ,  etc.  If  this  is  performed  in  this 

way,  then  the  overall  reliability  of  the  lock  is  simply  given  as 
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R^RX^R^e-^^' 


(15) 


which  is  an  exponential  distribution  as  well.  It  is  easy  to  show  mathematically 
that  the  mean  time  to  failure,  T,  is  given  as 


T  = 


1 

K  + 


1 


TT 
T  +T 

c  '  *q 


(16) 


Exponential  reliability  implies  that  the  failure  or  hazard  rate  does  not  vary 
with  time,  which  is  not  strictly  true,  even  though  the  failure  of  the  system 
considered  here  is  not  a  result  of  an  internal  flaw  but  a  consequence  of  single  or 
multiple  external  impacts.  As  a  matter  of  fact,  since  the  lock  is  a  structure  that 
undergoes  degradation  (aging  or  time  dependence)  over  time,  it  is  expected  that 
the  failure  rate  should  increase  over  time  as  well  (see  Equation  7).  A  nonvaiying 
failure  rate  can  be  used  as  an  approximation  only  when  the  time  under  considera¬ 
tion  is  significantly  shorter  than  the  planned  life  cycle. 


4.3.3  Failure  modes  as  Poisson  arrivals 

By  assuming  that  the  reliability  due  to  each  individual  failure  mode  observes 
an  exponential  distribution,  another  assumption  is  implied:  that  each  of  the 
failure  modes  constitutes  a  Poisson  process  on  its  own.  A  number  of  authors 
(Larrabee  and  Cornell  1981,  Pearce  and  Wen  1984,  Ellingwood  1995)  have 
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modeled  the  occurrence  of  potentially  hazardous  events  giving  rise  to  time- 
dependent  structural  loads  as  a  Poisson  process.  Mathematically,  one  can  show 
that  if  there  are  two  series  of  discrete  events,  E\  and  E2,  each  of  them  constituting 
a  Poisson  process  (Ross  1997)  on  its  own,  then  the  compound  process,  or  the 
combination  of  these  two  processes,  also  constitutes  a  Poisson  process.  The 
arrival  rate  of  this  compound  process  is  the  summation  of  the  arrival  rates  of  the 
two  individual  processes.  In  our  discussion,  instead  of  modeling  all  incoming 
hazardous  events,  the  assumption  is  to  model  the  incoming  events  that  lead  to 
failure  of  the  structure  as  a  Poisson’s  process  as  well.  As  an  example,  assume  that 
barge  impact  events  exceed  the  DMIL.  Those  earthquakes  that  generate  ground 
acceleration  exceeding  the  DMGM  also  follow  a  Poisson  process. 

Observation  1.  If  a  system  fails  due  to  any  event  in  any  one  of  the  following 
N  distinct  series  of  events,  E\ ,  E2 . . .  E^ . . .  E^ ,  and  if 

( 1 )  Event  in  series  Et  (/  =  1 ,2 . . .  N)  has  a  mean  return  period  T, 

(2)  Series  E,  (i  =  1,2.. . N)  constitutes  a  Poisson  process 

Then,  the  mean  time  for  the  system  to  fail  is 


T  = 


1 


■jr  +  -jr  +  ••••  + 

h  h 


JL 

TN 


(17) 


{Proof:  See  Appendix  A.) 

Remark :  Since  =  we  know  that  T  <Tt,  i  =  l,2...N. 

Tt  Ti  T2  Tn  T 

This  means  that  the  MTTF  of  the  system  due  to  the  multiple  causes  is  less 
than  the  MTTF  due  to  any  single  cause.  Observation  1  makes  it  possible  to 
evaluate  the  new  MTTF  given  that  the  individual  times  are  known. 

Applying  this  result  to  our  problem,  the  MTTF  of  a  navigation  lock  is 
shortened  by  a  multiplicity  of  causes.  In  other  words,  the  MTTF  of  the  system 
due  to  both  collision  and  earthquake  is  shorter  than  it  would  be  if  there  were  one 
cause  only  (either  collision  or  earthquake).  Mathematically,  if  the  MTTF 
allowing  for  collision  only  is  7j ,  and  that  allowing  for  earthquake  only  is  T2 , 

TT 

then  the  MTTF  due  to  both  causes  is  — — —  .  Furthermore,  if  the  system  is  also 

T{+T2 

subject  to  failure  due  to  terrorist  bombing  for  example,  and  the  return  period  for 
the  bombing  is  T3 ,  then  the  actual  MTTF  is 


T  = 


TXT2+T2T3+T3TX 


(18) 
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4.3.4  Failure  modes  as  general  stochastic  arrivals 

Now  consider  the  failure  modes  in  a  more  general  setting.  Consider  a 
counting  process  N(t)  with  rate  A.  Suppose  J{A,  k)  denotes  the  point 
probability  distribution  that  N(t+X)-N(t)  =  k, £  =  0,1,2...,  foragiven  t.  Then 
f (A,k)  must  satisfy  the  following  relationships: 

(1)  f{A,k)  >0 

oo 

(2)  £/(*t)=l  (,9) 

k= 0 

(3)  fjkf(A,k)  =  A 
6=0 

Conversely,  any  f(A,k )  that  satisfies  relationship  (1)  -  (3)  in  Lemma  2  defines  a 
counting  process  with  rate  A . 

Now  note  the  following  important  observations: 

Observation  2.  Let  Nx  (t)  and  N2  (t)  denote  two  counting  processes  with 
rates  A  and  fl ,  respectively.  Let  / (A,  k )  denote  the  point  probability 
distribution  that  Nl(t  +  \)-Ni(t)  =  k,k  =  0,\,2-...,  for  a  given  t,  and  g(jU,k ) 
denote  the  point  probability  distribution  that  N2(t  +  V)- N2(t)=:k,k  =  0,l,'2---, 
for  a  given  t.  The  compound  process  of  Nx  (t)  and  N2  (t)  is  also  a  counting 
process  with  rate  A  +  JU. 

(Proof:  See  Appendix  A.) 

Observation  3.  If  a  system  fails  due  to  an  event  in  any  one  of  the  following 
N  distinct  series  of  events,  E\,E2...El...  EN ,  and  if 

( 1 )  Event  in  series  E ,  (i  =  l, 2... N)  has  a  mean  return  period  Tt 

(2)  Series  Et{i  =  \,2...N)  constitutes  a  counting  process 
Then,  the  mean  time  for  the  system  to  fail  is 
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This  observation  is  a  generalization  of  Observation  1 .  Again,  since 

_1_  J_  J_  J_  =  J_ 

T*  Tx+  T2+"’  Tn  T 

it  is  known  that  T  <Tt,  i  =  l,2...N.  This  means  that  the  mean  time  to  failure  of 

a  system  due  to  the  multiple  causes  is  less  than  the  MTTF  due  to  any  single 
cause.  Using  this  result,  the  evaluation  of  the  MTTF  of  a  navigation  lock  due  to 
multiple  causes  is  based  on  the  knowledge  of  times  of  occurrence  for  each 
individual  cause.  Owing  to  this  observation,  there  is  no  longer  a  need  to  rely  on 
the  failure  modes  being  Poisson  processes.  From  a  reliability  standpoint,  often 
the  reliability  function  R(t)  is  not  known  exactly  due  to  scarcity  of  data. 
Typically,  what  is  known  with  a  certain  degree  of  confidence  is  the  MTTF. 
Observation  3  simply  states  that  if  the  mean  times  to  failure  due  to  the  individual 
causes  are  known,  then  one  can  evaluate  the  MTTF  due  to  multiple  causes 
without  knowledge  of  the  reliability  function. 

Table  4  shows  the  mean  times  to  failure  due  to  collision  and  earthquake  for 
different  DMIL  and  DMGM. 
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I  Table  4 

I  Mean  Time  to  Failure 

Due  to  Collision  and  Earthquake 

DMIL,  kips 

DMGM,  g 

Mean  Time  to  Failure,  years 

Ti,  years1 

T2,  years1 

0.2 

1.952 

2 

81.473 

680 

0.2 

4.710 

5 

81.473 

0.2 

30.984 

50 

81.473 

0.2 

44.895 

100 

81.473 

920 

0.2 

70.057 

500 

81 .473 

S  950 

0.2 

75.335  i 

1,000 

81.473 

610 

0.25 

1.959 

2 

96.576 

680 

0.25 

4.753 

5 

96.576 

810 

0.25 

32.944 

50 

96.576 

840 

0.25 

49.129 

100 

96.576 

920 

0.25 

80.942 

500 

96.576 

950 

0.25 

88.071 

1,000 

96.576 

610 

0.3 

1.968 

2 

126.494 

680 

0.3 

4.809 

5 

126.494 

810 

0.3 

35.835 

50 

126.494 

o 

OD 

0.3 

55.848 

100 

126.494 

920 

0.3 

100.954 

500 

126.494 

950 

0.3 

112.290 

1,000 

126.494 

610 

0.35 

1.978 

2 

185.759 

680 

0.35 

4.868 

5 

185.759 

810 

0.35 

39.395 

50 

185.759 

0.35 

65.005 

100 

185.759 

0.35 

135.440 

500 

185.759 

950 

0.35 

156.658 

1,000 

185.759 

610 

0.4 

1.986 

2 

303.156 

680 

0.4 

4.918 

5 

303.156 

810 

0.4 

42.920 

50 

303.156 

840 

0.4 

75.195 

100 

303.156 

920 

0.4 

188.728 

500 

303.156 

950 

0.4 

232.632 

1,000 

303.156 

610 

0.45 

1.992 

2 

535.708 

680 

0.45 

4.953 

5 

535.708 

810 

0.45 

45.731 

50 

535.708 

840 

0.45 

84.269 

100 

535.708 

920 

0.45 

258.619 

500 

535.708 

950 

0.45 

348.834 

1,000 

535.708 

610 

0.5 

1.995 

2 

996.369 

680 

0.5 

4.975 

5 

996.369 

0.5 

47.610 

50 

996.369 

I 

0.5 

90.878 

100 

996.369 

1  920 

0.5 

332.928 

500 

996.369  J 

1  T]  is  the  mean  time  to  failure  due  to  collisions  only.  T2  is  the  mean  time  to  failure  due  to 
earthquakes  only. 
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5  Risk  Management  of 
Compound  Failure  Modes 


Johnson-Payton  (1997)  described  a  methodology  for  risk  management  of 
compound  failure  modes.  The  methodology  can  be  outlined  as  follows: 

First,  consider  a  system  that  can  fail  in  n  different  ways  (failure  modes). 
Failure  mode  i  is  described  by  the  binary  random  variable,  x, ,  which  equals  1  if 
failure  mode  i  occurs  and  0  otherwise.  Suppose  there  are  only  two  failure  modes. 
Let  pkl  denote  the  probability  of  x,  =  k  and x2=l .  Let  ckl  represent  the 
consequence  of  x,  =  k  and  x2  =  /  ,  which  can  be  monetary  loss,  lives  lost, 
property  destruction,  or  any  combination  of  these.  In  general  ckl  is  a  random 
variable  with  probability  density  function  / (ckl ) . 

Given  the  above  information,  one  can  calculate  the  expected  cost  {  Z?[c(x)  | } 
and  the  partitioned  conditional  expected  cost  corresponding  to  extreme  risk  for 
each  individual  failure  mode  as  well  as  for  the  compound  failure  modes.  In 
general,  different  policy  options  correspond  to  different  cost-risk  relations.  Thus, 
a  multi-objective  tradeoff  analysis  provides  a  conceptual  framework  for 
addressing  cost-risk  tradeoffs  due  to  compound  failure  modes.  However, 
Johnson-Payton  (1997)  does  not  consider  the  continuous  aspect  of  many  real 
problems.  In  fact,  between  perfection  and  complete  failure  there  is  normally  a 
spectrum  of  “partial”  failures,  which  correspond  to  vaiying  levels  of  risks. 
Mathematically,  this  means  x  can  be  a  continuous  random  variable,  taking  on  real 
values  between  0  and  1,  with  0  corresponding  to  perfection  and  1  corresponding 
to  complete  failure.  In  this  section,  we  will  extend  this  idea  to  compound  failure 
modes  analysis  and  apply  the  methodology  to  perform  a  cost-risk  analysis  for  the 
lock  and  dam  problem. 


5.1  Conceptual  Framework  of  Partial  Failure 
Analysis 

A  barge  impact  on  a  navigation  structure  may  cause  the  system  to  function 
partially  while  repair  work  is  under  way.  This  illustrates  the  need  to  address  the 
partial  nature  of  failure. 
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Let  *  =  (x, ,  x2 . . .  *„  )  denote  a  vector  of  failure  mode,  termed  a  failure  vector, 
where  **€[0,1],  i  =  l,2...n.  Let  g(x)  =  g(xux2...x„)  be  the  probability  density 
function  of*.  Let  c(*)  be  the  consequence  (e.g.  lives  lost  or  monetary  damage) 
of  failure*.  Lety[c(*)]  denote  the  probability  density  function  of  c(x)  .  Then,  the 
expected  damage  f5  can  be  calculated  as 

E[c(x)\ 

-JH  c(x 1  ,x2...xn  )f[c(xx ,  *2 . . .  xn  )]g(*!  ,x2...xn)8cdxdx2...  dxn 

and  the  extreme  risk  function  is 


i?[c(x)  |  c(x)  >  r] 

jj c(*i ,x2...xn )/[c(x, ,x2...xn )]g(*! , *2  •  •  •  xn )8cdxx dx2  ... dx„ 

_  c>r _ _ _ _ _ 

J  f[c{x\ ,x2...x„ )]g(x, ,x2...xn )8cdxx dx2  ... dxn 

c>r 


(21) 


where  r  is  the  partitioning  point  in  the  region  of  extreme  risk. 

Different  failure  modes  can  be  interdependent.  For  example,  an  earthquake 
may  also  cause  collisions  and,  eventually,  the  concurrent  action  of  these  two 
failure  modes  can  result  in  the  failure  of  a  navigation  lock.  Nevertheless,  in  many 
cases  it  is  a  reasonable  approximation  to  assume  the  independence  of  different 
failure  modes.  For  example,  using  the  probabilistic  event  combination 
techniques,  Ellingwood  (1995)  has  shown  that  the  probability  of  a  simultaneous 
earthquake  and  barge  impact  is  on  the  order  of  1015.  Thus,  from  any  practical 
standpoint,  these  two  types  of  events  can  be  considered  as  independent.  Needless 
to  say,  the  independence  assumption  can  bring  about  significantly  simpler 
mathematical  treatment.  One  direct  consequence  of  the  independence  assumption 
is  that,  if  the  independence  assumption  holds,  then  xl,x2...xn  are  independent 
random  variables.  Thus,  Equations  20  and  21  lead  to  Equations  22  and  23. 


JJ  jW*,)+...+c„  (Xn  ))/i  [C,  (*1  )].../„  [cn  (x„  )]g!  (*1 ) . . .  gn  (xn  )8cx  ...8cndxx...dxn 

n 

=  X  JJc;  (*,- )/ .  [cx  (Xj  )]g;-  (*,•  )Scidxi 

(=1 

and 


(22) 
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£[c(x)  |  c(x)  >  r] 


JJ-  •  j  [  q  (*1  )  +  •••  +  c„  (x„ )]  /, [c,  (x, )].../„ [c„  (x„  )]gx  (x,  )...g„ (xn  )8c{ ...Scndxl  ...dx„ 

cJ+c2+...+cff>r  _ ___ _ 

II  I  A  [c,  (x,  )].../„  [c„  (x„  )]g,  (x,  )...g„  (x„  )<?c,  ...8c„dxx  ...dx„ 

cl+c2+...+cn>r 

1  -  JJ  j[q(xi)  +  ...  +  c„  (xn  )]  A  lcl  (*1  )]•••/»  K (xn  )]Sl  (*1  )-gn  (xn )Sc\  -&C„dx , 

_ c,+ci-f...+c,<r _ _ _ _ 

-If  I  /i  [C\  (*1  )]•••/„  K  (x„  )]g,  (x, ). .  ,g„  ( x„)Scv .  ,8cndxx  ...dx„ 

c,+c2+...+c„<r 

The  mathematical  details  of  the  derivation  are  shown  in  Appendix  B.  The 
following  section  outlines  an  application  of  these  ideas  to  analyze  the  hazards  of 
a  navigation  lock  subject  to  barge  impact  and  earthquake  loads. 


5.2  Application  to  Risk  Assessment  for  Navigation 
Locks 

Consider  a  river  navigation  lock  that  could  be  subject  to  impacts  of  both 
collisions  and  earthquakes.  Let  x\  denote  the  failure  mode  due  to  collision  and 
x2  denote  the  failure  mode  due  to  earthquake.  As  noted  above,  x\  and  x2  are 
continuous  random  variables  and  can  take  on  any  value  between  0  and  1,  with 
0  representing  no  failure  (meaning  that  no  collision  or  earthquake  occurs)  and 
1  representing  a  complete  failure  that  leads  to  a  complete  dysfunctional  system. 
This  could  lead  to  the  potential  destruction  and  collapse  of  the  system.  Assume 
that  these  two  failure  modes  are  independent  and  therefore  their  consequences 
are  additive.  Let  Ci(x0  and  c2(x2)  represent  the  consequences  (damages, 
converted  to  monetary  value  in  millions  of  dollars)  caused  by  x,  and  x2 , 
respectively,  which  are  normally  distributed  with  mean  and  variance  (0.5x,, 

0. 1x0  1  and  (  2x2 , 0.4x2 ) ,  respectively.  Hence,  using  the  technique  developed 
earlier  in  this  report,  the  calculation  of  the  unconditional  expected  damage  and 
conditional  expected  damage  in  the  region  of  extreme  risk  can  be  performed. 

Suppose  the  following  five  policy  options  are  considered,  and  each  one  is 
more  sturdy  than  the  last. 

Policy  1:  If  the  Corps  spends  $1.2  million  to  build  the  lock,  then  it  is 
expected  that  x,  is  an  A(0.50,  0.20)  variable  and  x2  is  an  A(0.30,  0.10)  variable. 

Policy  2:  If  the  Corps  spends  $1.4  million,  then  it  is  expected  that  x,  is  an 
A(0.40,  0.1)  variable  and  x2  is  an  N( 0.25,  0.09)  variable. 


1  All  normal  distributions  in  this  chapter  are  truncated  and  accordingly  normalized  to 
ensure  nonnegativity. 
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Policy  3:  If  the  Corps  spends  $1.6  million,  then  it  is  expected  that  X,  is  an 
jV(0.30,  0.1)  variable  and  x2  is  an  #(0.20,  0.08)  variable. 

Policy  4:  If  the  Corps  spends  $1.8  million,  then  it  is  expected  that  x,  is  an 
N( 0.25,  0.08)  variable  and  x2  is  an  #(0.18,  0.05)  variable. 

Policy  5:  If  the  Corps  is  willing  to  spend  $2  million,  then  one  can  further 
decrease  the  hazard  due  to  both  collisions  and  earthquakes  so  that  x,  is  an 
#( 0.20,  0.05)  variable  and  x2  is  an  #(0.15,  0.04)  variable. 

Thus,  by  using  Equations  22  and  23,  one  can  calculate  the  unconditional 
expected  damage  and  conditional  expected  damage  in  the  extreme  region 
(partitioned  at  2<J ,  where  G  is  the  standard  deviation).  The  results  from  each 
policy  decision  are  shown  in  Table  5  (with  costs  and  the  damages  in  millions  of 
dollars). 


Table  5 

Example  Policies  and  Associated  Costs  and  Risks 

Policy 

Cost,  M$ 

f5,  M$ 

f4(1),M$ 

f4(2) ,  M$ 

f4,  MS 

1 

1.20 

0.03110 

0.1508 

0.18190 

0.3683 

0.8861 

1.2544 

2 

0.7395 

1.0342 

3 

N  (0.20,  0.08) 

0.00940 

0.0805 

0.2213 

0.5939 

0.8152 

4 

1.80 

N  (0.25,0.08) 

N  (0.18,  0.05) 

0.00630 

0.0452 

0.05150 

0.1844 

0.5309 

0.7153 

5 

2.00 

N  (0.20,  0.05) 

N  (0.1 5,  0.04) 

0.00314 

0.0301 

0.03324 

0.1473 

0.4423 

0.5896 

where 


xl  =  amount  of  damage  from  collision 

x2  =  amount  of  damage  from  earthquake 

f5(l)  =  expected  value  of  damage  from  collision 

f5(2)  =  expected  value  of  damage  from  earthquake 

£5  =  expected  value  of  damage  from  both  collision  and  earthquake 

f4(l)  =  conditional  expected  value  of  damage  in  the  extreme  region  from 
collision 

f4(2)  =  conditional  expected  value  of  damage  in  the  extreme  region  from 
earthquake 

f4  =  conditional  expected  value  of  damage  in  the  extreme  region  from 
both  collision  and  earthquake 
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The  cost-risk  relationships  for  the  five  policies  are  shown  in  Figures  19-22.  It 
is  evident  that,  although  the  expected  damages  are  not  high,  the  conditional 
expected  damages  could  be  extraordinarily  high.  It  is  also  clear  that  the  decision¬ 
maker  must  make  a  tradeoff  in  order  to  strike  a  balance  between  construction 
costs  and  the  robustness  of  the  lock.  Although  the  five  policies  all  appear  to  be 
Pareto  solutions,  there  may  be  a  specific  utility  function  that  renders  one  policy 
particularly  favorable. 


Figure  20.  Risk  due  to  extreme  events  versus  construction  cost 
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Figure  22.  Risk  due  to  earthquake  versus  construction  cost 
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6  Recommendations 


The  following  are  the  recommendations  required  for  Phase  2  of  the  research 
and  are  based  on  the  results  and  conclusions  of  Phase  1.  A  recommendation  to 
adopt  the  developed  methods  of  modeling  the  occurrences  of  compound  failure 
modes  as  a  Poisson  and  a  general  counting  process  is  made.  Furthermore, 
because  many  accidents  are  caused  by  rapidly  rising  water  levels  common  in 
floods  (ASCE  1998  and  other  sources1),  the  model  may  advance  along  the 
following  lines:  find  the  probability  density  function  (pdf)  of  floods  in  terms  of 
water  levels  at  the  site  in  question;  then,  find  the  pdf  of  collisions  in  terms  of 
impact  force  conditioned  on  given  water  levels  by  noting  the  collisions  that  have 
occurred  at  locks  in  a  geographical  region.  Look  at  regional  data  if  data  on 
specific  site  collisions  are  scarce;  find  the  pdf  of  direct  damage  due  to  a  given 
impact,  in  terms  of  dollars. 

Another  way  to  model  extreme  events  such  as  barge  impacts  is  scenario 
analysis  (Kaplan  1996).  This  method  is  especially  useful  when  data  are  scarce, 
which  is  the  case  with  lock  failures.  Since  the  amount  of  barge  traffic  and  the 
barge  sizes  in  the  future  are  uncertain,  forecasting  models  using  regression  and 
time  series  can  be  developed. 

Another  factor  that  warrants  a  closer  look  is  the  indirect  damage,  or  cost  due 
to  shutting  down  the  facility  and  using  alternate  ways  to  transport  goods.  This 
may  affect  the  final  tradeoff  analysis,  as  an  even  more  conservative  design  may 
be  warranted  if  the  indirect  cost  turns  out  to  be  the  overriding  one.  Once  the 
damages  due  to  different  failure  modes  can  be  reliably  estimated  (assisted  by  the 
methodology  developed  in  Phase  1  and  the  model  advancement  mentioned 
previously),  it  is  recommended  that  the  USACE 

•  Consider  complete  failures  by  trading  off  construction  cost  for  life 
expectancy  of  lock. 

•  Consider  partial  failures  by  looking  at  tradeoffs  between 

1 )  Cost  incurred  by  failure  and  cost  of  building  the  structure  initially. 

2)  Ratio  of  repair  cost  over  reconstruction  cost. 

3)  Ratio  of  impact  load  over  the  maximum  impact  the  structure  could 
withstand. 


1  Personal  Communication,  15  Dec  1999,  Professor  Roman  Krzysztofowicz,  Statistician, 
University  of  Virginia,  Charlottesville. 
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In  addition,  the  following  data  are  needed  to  perform  the  recommended  tasks 
in  Phase  2: 

•  Detailed  information  about  specific  locks,  including  diagram  of 
structure,  materials  used,  maximum  allowable  stress,  etc. 

•  Loss  to  businesses  due  to  shutdown  of  a  lock. 

•  Planning  and  construction  costs  of  new  locks.  (Useful  source:  Design 
Memorandums  for  Corps  lock  facilities.) 

•  Repair  and  reconstruction  costs  due  to  partial  or  complete  failure. 

•  Corps’  method  for  assessing  reliability  of  navigation. 

•  Historical  frequencies  of  earthquakes  of  different  magnitudes  in  the 
vicinity  of  the  locks. 

•  Historical  data  on  barge  impacts:  mass  and  sizes  of  barges,  damages 
incurred,  and  dates  of  impacts.  (Possible  source:  accident  database 
maintained  by  the  U.S.  Coast  Guard.) 

•  Experimental/field  results  on  angles  and  velocities  of  barge  impacts  to 
locks  with  new  designs. 

•  Most  current  data  on  the  mass  and  sizes  of  barge  tows  and  their  per- 
event  probabilities. 

•  Water  levels  at  specific  sites  at  the  times  of  collisions. 

Once  the  above  data  are  obtained,  the  actual  probability  distributions  of  barge 
impacts  and  earthquakes  can  be  incorporated  into  the  study  so  that  a  more  solid 
understanding  of  reliability  and  mean  time  to  failure  can  be  obtained.  Then,  the 
methodology  developed  in  Phase  1  can  be  implemented  as  a  computer  program 
to  aid  decision-making. 

To  ensure  the  accuracy  and  robustness  of  the  model’s  output,  one  must 
account  for  the  scarcity  or  lack  of  data,  as  this  may  lead  to  parameter  uncertainty 
in  the  model.  To  assess  the  robustness  of  the  model,  one  must  conduct  a 
sensitivity  analysis  in  Phase  2.  In  this,  the  goals  are  to 

•  Evaluate  the  dominant  parameters  that  will  have  major  impacts  on  the 
expected  direct  and  indirect  costs. 

•  Evaluate  the  conditional  expected  costs  in  the  region  of  extreme  risk. 

•  Identify  parameters  to  which  the  cost  is  insensitive. 
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Appendix  A 
Example  Problem 


Proof  of  Observation  1 : 

First,  the  expected  interarrival  time  for  the  compound  Poisson  process  is 
—  +  —  +  .  The  method  of  mathematical  induction  is  used  to  prove  this. 

T\  T2  Tn 


The  arrival  rate  of  process  Ej  is,  obviously,  — .  First,  consider  two 

processes,  Et  and  E2 .  From  the  preceding  lemma,  it  is  known  that  the 

.  ,  11 

compound  process  of  these  two  is  a  Poisson  process  with  arrival  rate  —  +  — . 

T\  t2 

Second,  suppose  the  arrival  rate  of  the  compound  process  of  E\,E1...Ei  is 

—  +  —  +  .  Then,  from  the  preceding  lemma,  the  arrival  rates  of  the 

T\  b  71- 


compound  process  of  E\,E2...Ei  and  EM  is 


f\  1  l' 

H - h . . .  — 

Tij 


\T,  T2 


+  - 


T, 


.  This 


(+1 


proves  that  the  expected  interarrival  time  for  the  compound  Poisson  process  is 

T  = _ 1 _ . 

T\+T^  +  '"+T^ 


Now  that  any  event  in  this  compound  process  can  cause  the  system  to  fail,  the 
mean  time  for  the  system  to  fail  is  T  ■ 


4r  +  -4“  +  . . .  + 


Proof  of  Observation  2: 

Let  N(t)  denote  the  compound  process.  Let  h(y,k)  denote  the  point 
probability  distribution  that  N(t  +  l)-N(t)  =  k,k  =  0,\,2----  Obviously, 
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Kr, k)  =  2  /(A, k-k  )gO, k ) 

k=0 

Note  that 

X  *) = 2  2  k  ~ k'  * ) 

£=0  k=0k=0 

oo  oo 

=  ^g(jU,k)  2  f(A,k-k)  =  1 
fc  =0  &-A  =0 

Furthermore, 

| ]kKr,k)='Z'Zv&k-k)g(ti,k) 

k= 0  *=0  /t=0 

OO  fc 

=  +k-k)f(X,k-k)g{^k) 

k=0  k'=0 

oo  k  oo  k 

=  22  *'/(^»  k  -  k  )g(ju,  k  )  +  2  2  (*  “  *'  )/0*»  *  _  *'  )fC“»  *'  ) 

*=0  A=0  k=0k=0 

oo  OO  oo  oo 

=  2  2  At>k-k)+'Zg(M,k)  2  (k-k)f(A,k-k) 

k  =0  k-k  =0  k'=  0  k-k=Q 

=H  +  A 

Thus,  it  is  clear  that  yV(/)  is  a  counting  process  with  rate  A  +  //. 
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Appendix  B 

Mathematical  Details  for  Partial  Failure 
Modes 


Calculations.  Let  x=(x1,x2...x„)  denote  a  vector  of  a  failure  mode,  termed  a  failure  vector,  where 
xt  e  [0, 1],  /  =  1, 2 . . . n .  Let  g(x)  =  g(x, ,x2...xn)  be  the  probability  density  function  of x.  Let  c(x)  be  the 
consequence  (e.g.,  lives  lost  or  monetary  damage)  of  failure  x.  Let/[c(x)]  denote  the  probability  density 
function  of  c(x) .  Then,  the  expected  damage  f5  can  be  calculated  as 

E[c{x)\=  JJ  - J  c(xhx2...xn )f[c(xi ,x2...xn )]g(x! ,x2...xn )Scdxdx2 ...dxn  (Bl) 

and  the  extreme-risk  function  as 

JJ  c(xx  ,x2...xn  )/[c(xj  ,x2...xn)\g{xx,x2...xn  )Scdx\  dx2...  dxn 

E\c(x)  |  c(x)  >  r]  =  — - -r - - - -  (®2) 

j  f[c(xx  ,x2  ...xn  )]g(xj  ,x2...xn  )8cdxx  dx2  . . .  dxn 

c>r 

where  r  is  the  partitioning  point  in  the  region  of  extreme  risk. 

Likewise,  the  unconditional  and  conditional  risk  function  can  be  calculated  for  any  individual  failure 
mode,  or  any  combination  of  individual  failure  modes.  For  instance,  if  one  wants  to  calculate  2s[c(x)  ] 
and  E[c{x)  \  c(x)  >  r]  for  failure  mode  1,  then 


f  fc(x! ,  0 . . .  0)/[c(x! ,  0 . . .  Oflgtx, ,  0 . . .  0)  Scdxx 

E[c(x)  1  =  — - 

J/[c(x1,0...0)]g(x1,0...0)^1 


and 


jj  c(x!,0 . . .  0)/[C(xj,0 . . .  0)]g(x1;0 . . .  0  )8cdxx 


^[cCx)  I  c(x)  >  /*]  : 


Or 


|  J  /[c(xj ,  0 . . .  0)]g(x, ,  0 . . .  0)8cdxx 


c>r 


(B3) 


(B4) 
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Bl 


If  one  is  interested  in  obtaining  E[c(x)  and  £Ic(x)  |  c(x)  >  r]  for  compound  failure  modes  x,  and  xJt 
then 


^[c(x)]  =  - 


,Xj, . ..Xj, . . . , 0)y*[c(0, . . .,Xj, .. .Xj , . . 0)]g(0,  •  ■  • » Xj , . . . , Xj , ..., 0)Scdxidxj 
j"  J*  j"  y[c( 0,  ...,Xj,  ...,Xj,.. .,0)]g(0,  ...Xj,  ...,Xj, . . .,0 ^Scdxjdxj 


(B5) 


and 


xh...Xj , ...,  0)/[c(0, X,-  ,...Xj,...,  0)]g(0, ...,  Xiy ...,  Xj 0  )dcdXidXj 


£[c(x)  |  c(x)  >  r]  = 


c>r 


J  J  J  /[c(0, Xj , Xj , 0)]g(0,  ...X; , Xj , 0)Scdxjdxj 

c>r 

Proposition  1:  If  x®  < x,-2^ ,  and  x^p  =  x^p  for  all  j&i,  then 

Jyic<^> . ^>,  . . 

<{. f[c(xP,...,xP,...x^)]c^ 


(B6) 


(B7) 


This  inequality  simply  says  that  the  expected  value  of  the  damage  is  a  nondecreasing  function  of  any  x.  In 
other  words,  if  the  failure  increases,  then  the  expected  damage  will  not  decrease,  and  in  reality,  the 
expected  damage  will  most  likely  increase. 

Independence  of  failure  modes.  Failure  modes  can  be  independent  and  interdependent.  For  instance, 
earthquakes  and  collisions  can  each  result  in  failure  of  a  navigation  lock.  However,  an  earthquake  may 
also  cause  collisions  to  occur,  and  eventually  more  damage  will  be  caused  by  the  concurrent  action  of 
these  two  failure  modes.  This  is  an  example  of  the  interdependence  of  different  failure  modes. 
Nevertheless,  in  many  cases  it  is  reasonable  to  assume  the  independence  of  different  failure  modes. 
Needless  to  say,  the  independence  assumption  can  significantly  simplify  mathematical  calculations.  One 
direct  consequence  is  that,  if  the  independence  assumption  holds,  then  xj,X2  ...x„  are  independent 
random  variables.  Thus  the  joint  distribution  of  Xj,x2  ...x„  can  be  written 

g(x,,x2...x„)  =  fj  g,(x,)  (B8) 

i=l 

where g( (x, )  is  the  marginal  distribution  of  x;- ,  where  i  =  1,2... n,  and  the  symbol  n  denotes  the 
product. 

If  the  damage  caused  by  independent  failure  modes  is  additive,  then  the  damage  function  can  be 
written  as 
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(B9) 


n 

c(xhx 2---X„)  =  ^  Cj(Xj) 
i=\ 

where  c,  ( x,)  is  the  damage  caused  by  failure  mode  xt  only,  namely, 

ci(xi)  =  c(0...,xi  ...,0)  (BIO) 

Obviously,  ct  (0)  =  0 ,  i  =  1, 2 . . .  n.  It  should  be  noted  that,  in  reality,  the  compound  damage  of  multiple 
failure  modes  may  not  be  additive. 

If  the  independence  of  failure  modes  holds  and  the  damage  is  indeed  additive,  then 
n 

f[c(xhx2...x3)]  =  U  //fate)]  (B11) 

1=1 


n 

Sc  =  Scj 

i= 1 

Therefore,  one  has  the  following  important  results: 

£[c(x)]=  JJ"  J[c1(x1)+...+cM 

n 

=  X  flCi  (*/ )/ .  tc«  (*/  )]&  (*i  )Scidxi 
;=1  ' 

and 

£[c(x)|c(x)>r] 


(B12) 


(B13) 


J  [q (xj )  +  ...  +  cn (xn )]  fx  [c,  (xx  )].../„  [c„ (xn )]gj  (x,  )...g„ (x„  )Sc\  ...Scndxx ...dxn 
C\  •  ‘^~cn  '>r 

~irn  f\ [Cl  (xx  )].../„  [cn  (xn  )]g!  (x,  )...g„  (xn  )Scx  ...8cndxx...dxn 

cl+c2+“-+c/7>r 


1  -  JJ  \[c1(xl)  +  ...  +  cn  (x„ )]  f\ [C1  (*l  )]•••/«  fo,  (*«  )]£l  (*l  )-Sn  (xn  )Scx...Scndxx...dxn 

Cl  +C2+.  •  .+cw<r 

MFI  /l  [q  (xj  )].../„  [c„  (xn  )]g]  (x,  )...g„  (x„  )Scx  ...Scndxx...dxn 

c1+c2+...+c/1<r 

(B14) 
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